Understanding Forensics Lab Accreditation Requirements
- Digital Forensics Lab: This is where you conduct investigations, store evidence, and do most of your work.
- You use the lab to house your instruments, current and legacy software, and forensic workstations.
- ANSI-ASQ National Accreditation Board: Provides accreditation of crime and forensics labs worldwide. This accreditation includes forensics labs that analyze digital evidence.
Identifying Duties of the Lab Manager and Staff
- The lab manager sets up processes for managing cases and reviews them regularly.
- The manager also establishes quality assurance procedures and encourages the lab's staff to adhere to them.
- The lab manager also establishes acceptable production schedules for processing work in order to guarantee the lab's effectiveness.
- The lab manager provides a safe and secure work environment for staff and evidence, develops and oversees lab policies for staff, and keeps track of all work the lab's staff does to finish its cases.
- Staff members in a forensics lab should have enough training to perform their tasks.
- The ANAB Website summarizes the requirements of managing a digital forensics lab, handling and preserving evidence, performing laboratory procedures, setting personnel requirements, and encouraging professional development.
Lab Budget Planning
- Expenses for the lab can be divided into monthly, quarterly, and annual costs.
- You can extrapolate anticipated future expenditures by keeping track of past investigation costs in a spreadsheet.
- When developing a budget, start by estimating the number of cases your lab expects to examine and specifying the kinds of computers you expect to investigate.
- If you can't locate specific information about the sorts of machines and operating systems used in digital crimes, gather enough data to make an educated estimate. Your aim is to build a baseline for the kinds and quantities of systems you can anticipate investigating.
- Calculate the number of computer system investigations you might do to establish the number of tools required to evaluate these systems.
- Also, you can spot specific software that has been utilized in some crimes.
- Start by compiling a list of all known computing platforms and programs utilized by the company.
- To find out what kinds of grievances and issues were reported in the previous year, check with your management, human resources, and security departments.
- Because disk storage capacity keeps increasing, your budget should accommodate potential advances in digital technology.
Acquiring Certification and Training
- International Association of Computer Investigative Specialists (IACIS): One of the oldest professional digital forensics organizations created by police officers who wanted to formalize credentials in digital investigations.
- Certified Forensic Computer Examiner (CFCE): Awarded to candidates who successfully complete the IACIS test.
- IACIS requires recertification every three years to demonstrate continuing work in the field of digital forensics.
- Certified Cyber Forensics Professional (CCFP): Requires knowledge of digital forensics, malware analysis, incident response, e-discovery, and other disciplines related to cyber investigations.
- High Tech Crime Network (HTCN): Requires a review of all related training, including training in one of its approved courses, and a review of the candidate’s work history.
- EnCase Certified Examiner Certification: Candidates for this certification are required to have a licensed copy of EnCase.
- AccessData Certified Examiner (ACE)
  - ACE certification is open to the public and private sectors and is specific to use and mastery of the AccessData Ultimate Toolkit.
  - Applicants can attend the AccessData BootCamp and advanced FTK courses.
- Other Training and Certifications
  - EC-Council
  - Defense Cyber Investigations Training Academy (DCITA)
  - International Society of Forensic Computer Examiners (ISFCE)
  - Computer Technology Investigators Network (CTIN)
  - Digital Forensics Certification Board (DFCB)
  - Cloud Security Alliance (CSA)
Determining the Physical Requirements for a Digital Forensics Lab
Identifying Lab Security Needs
- A small room with true floor-to-ceiling walls.
- Door access controlled by a locking system.
- A secure container, such as a safe or a heavy-duty filing cabinet with a good padlock that keeps the drawers closed.
- Clearly written entries in a visitor's log listing each person who has accessed the lab, together with the date, their time of entry, and their time of exit.
Conducting High-Risk Investigations
- High-risk investigations, such as those involving murder or national security, require more protection than the minimal lab requirements can offer.
- Most electronic equipment produces electromagnetic radiation (EMR). Specific devices can intercept EMR and use it to learn what information the equipment is transmitting or displaying. A computer monitor's EMR can be detected up to a half mile away.
- To safeguard your investigations, you might consider building a TEMPEST-qualified lab, which entails lining the walls, ceiling, floor, and doors with properly grounded conductive metal sheets.
- Copper sheeting is used because it conducts electricity well.
- A TEMPEST-qualified lab facility should only be considered for large regional digital forensics labs that demand total protection against illegal eavesdropping, because it is expensive and requires regular inspection and testing.
Using Evidence Containers
- The evidence container needs to be put in a secure location that only lab staff may access.
- There shouldn't be many people with access rights to the evidence container. Keep track of who has permission to access each container.
- When not directly supervised by an authorized person, all evidence containers must be kept locked.
- If a combination locking system is used for your evidence container, follow these practices:
  - Give the combination the same level of security as the contents of the container. Keep the combination in another container that is just as secure.
  - After setting a new combination, destroy any record of earlier ones.
  - Only authorized workers should be able to change lock combinations.
  - Change the combination every six months, whenever an authorized worker leaves the company, and as soon as a container is discovered to be unsecured, that is, open and unattended.
- If you're using a keyed padlock, follow these practices:
  - Designate a key custodian who is in charge of issuing keys.
  - Stamp each duplicate key with a sequential number.
  - Keep a registry that details which key belongs to which authorized person.
  - Conduct regular audits to make sure no authorized individual has misplaced a key.
  - Take an inventory of all keys whenever the custodian changes.
  - Store keys in a secure container that only the lab manager and the designated key custodian can access.
  - Keep the security of keys and evidence containers at the same level.
  - Replace locks and keys every year. If a key is lost, replace all related locks as well.
  - Never use one master key to open several locks.
Overseeing Facility Maintenance
- For the health and safety of the lab staff, your lab should always be kept in good repair.
- Any damage to furniture, walls, ceilings, and floors should be fixed right away.
- Also, make sure you watch and escort cleaning personnel while they work.
- Place antistatic pads around electronic workbenches and workstations, since static electricity can be a serious problem when handling computer components.
- Keep two separate trash cans: one for non-investigatory waste (such as discarded CDs) and one for sensitive waste that needs special handling to ensure it is destroyed.
- At a private company, using separate trash cans helps to preserve the confidentiality of trade secrets and attorney-client privileged communications while also protecting the integrity of criminal investigation procedures.
Considering Physical Security Needs
- Due to the possibility of losing, corrupting, or harming evidence, a regional computer crime lab requires very stringent physical security requirements.
- Large corporations probably don't need as much physical protection because the chance of evidence loss or breach is so much smaller.
- How much protection you incorporate into your digital forensics lab depends on the risk to your company.
- Regardless of the threat to your lab's security, keep a paper or electronic visitor sign-in journal.
- The visitor's name, date and time of arrival and departure, employer, reason for the visit, and name of the lab staff member greeting the visitor should all be recorded in the log.
- Everyone who isn't assigned to the lab, such as cleaning staff, building maintenance staff, friends, and relatives, should be treated as a visitor.
- To prevent unintentional or intentional tampering with an investigation or piece of evidence, every visitor to the lab should be escorted by a designated authorized staff member the whole time they are there.
- After hours, you can additionally monitor your lab using alarm systems and guards.
Auditing a Digital Forensics Lab
- Audits should include, but aren't limited to, the following facility components and practices:
  - At least once a month, look for anything strange or new in the lab's ceiling, floor, roof, and outside walls.
  - Inspect the doors to make sure they close and lock securely.
  - Inspect locks to see if they require replacement or modification.
  - Examine visitor logs to determine how well they are being used.
  - Examine log books for evidence containers to find out when they were opened and closed.
  - At the end of each workday, secure any evidence that isn't being processed on a forensic workstation.
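The visitor-log, key-registry, combination-rotation and lock-replacement practices described in the sections above are easy to state but easy to let lapse between audits. The following script is an added example, not part of the original notes, that turns those practices into automated checks a lab manager could run against the lab's records before a monthly audit. All records are constructed sample data, and the field names, the 183-day rotation interval and the 365-day lock lifetime are assumptions based on the "six months" and "every year" figures in the notes.

```python
"""Added example: automated audit checks for a forensics lab's access records.
Sample data and field names are constructed for illustration."""
from datetime import date, timedelta

# Constructed visitor log. Each entry should carry the fields the notes list:
# visitor name, date, time in, time out, employer, reason, and the staff member
# who greeted (and escorts) the visitor.
VISITOR_LOG = [
    {"name": "A. Visitor", "date": "2024-03-04", "in": "09:10", "out": "09:45",
     "employer": "Facilities Co.", "reason": "HVAC check", "escort": "J. Examiner"},
    {"name": "B. Visitor", "date": "2024-03-05", "in": "13:00", "out": "",
     "employer": "Cleaning Co.", "reason": "cleaning", "escort": "J. Examiner"},
]
REQUIRED_FIELDS = ("name", "date", "in", "out", "employer", "reason", "escort")

# Constructed key registry: sequential key number -> authorized holder,
# plus the set of keys physically produced during this audit.
KEY_REGISTRY = {1: "custodian", 2: "J. Examiner", 3: "K. Examiner"}
KEYS_SEEN = {1, 2}

# Constructed combination-lock records and the staff who have left since.
COMBOS = [
    {"container": "safe-A", "last_set": date(2023, 8, 1),
     "known_by": {"custodian", "J. Examiner"}, "found_unsecured": False},
    {"container": "cab-B", "last_set": date(2024, 1, 15),
     "known_by": {"custodian", "K. Examiner"}, "found_unsecured": True},
    {"container": "cab-C", "last_set": date(2024, 2, 1),
     "known_by": {"custodian"}, "found_unsecured": False},
]
DEPARTED_STAFF = {"K. Examiner"}

# Constructed keyed-lock records: which numbered keys open each lock.
LOCKS = [
    {"lock": "safe-A", "installed": date(2023, 1, 10), "keys": [1, 2]},
    {"lock": "cab-B", "installed": date(2024, 1, 15), "keys": [3]},
]

ROTATION_INTERVAL = timedelta(days=183)  # assumed: "every six months"
LOCK_LIFETIME = timedelta(days=365)      # assumed: "every year"


def incomplete_visitor_entries(log):
    """Return (entry index, missing fields) for entries lacking any required
    field; a blank exit time counts as missing, since the visitor may still
    be unaccounted for."""
    problems = []
    for i, entry in enumerate(log):
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            problems.append((i, missing))
    return problems


def missing_keys(registry, keys_seen):
    """Return {key number: holder} for registered keys not produced at audit."""
    return {num: holder for num, holder in registry.items() if num not in keys_seen}


def combination_rotation_due(records, departed, today):
    """Return {container: reasons} for combinations that must be changed,
    applying the three triggers from the notes: age, staff departure,
    and a container found open and unattended."""
    due = {}
    for rec in records:
        why = []
        if today - rec["last_set"] >= ROTATION_INTERVAL:
            why.append("older than six months")
        leavers = sorted(rec["known_by"] & departed)
        if leavers:
            why.append("known by departed staff: " + ", ".join(leavers))
        if rec["found_unsecured"]:
            why.append("container found open and unattended")
        if why:
            due[rec["container"]] = why
    return due


def locks_due_for_replacement(locks, lost_keys, today):
    """Return {lock: reasons} for locks past their annual replacement or
    opened by a key that is unaccounted for."""
    due = {}
    for lock in locks:
        why = []
        if today - lock["installed"] >= LOCK_LIFETIME:
            why.append("installed over a year ago")
        lost = sorted(set(lock["keys"]) & set(lost_keys))
        if lost:
            why.append("key(s) lost: " + ", ".join(map(str, lost)))
        if why:
            due[lock["lock"]] = why
    return due


def run_audit(today=date(2024, 3, 6)):
    """Run every check against the sample records and collect the findings."""
    lost = missing_keys(KEY_REGISTRY, KEYS_SEEN)
    return {
        "visitor_log": incomplete_visitor_entries(VISITOR_LOG),
        "missing_keys": lost,
        "combination_rotation": combination_rotation_due(COMBOS, DEPARTED_STAFF, today),
        "lock_replacement": locks_due_for_replacement(LOCKS, lost.keys(), today),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings}")
```

Each finding names the record and the rule it violates, so the audit report can be attached to the evidence-container log book. Note that a lost key feeds into the lock check automatically: once key 3 is missing from the audit, every lock it opens is flagged for replacement, which is the rule the notes state.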
Selecting a Basic Forensic Workstation
Selecting Workstations for a Lab
- If you're running a lab for a police department in a big city, you probably have the most varied needs for digital investigation tools, because the communities the lab serves use a wide range of computing platforms.
- The digital forensics lab of a small police department might only include one multipurpose forensic workstation and one or two entry-level workstations or high-end laptops.
- One way to research older and unusual computing platforms is to follow forums and blogs that you find through an internet search.
- Computer systems in a lab should be able to process common cases quickly.
- Advances in hardware technology give digital forensics additional options.
Selecting Workstations for Private-Sector Labs
- Companies that offer forensic analysis as a commercial service can focus on particular markets.
- In order to serve a larger market, they can also assemble a variety of tools. Their specialty, if any, will determine the kind of equipment they require.
- A multifunctional forensic workstation is sufficient for general digital forensics facilities.
- Private companies conducting their own internal digital investigations can determine the kind of forensic workstation they require based on the types of PCs they use.
- If a corporation uses a variety of computer types, its internal investigators need systems and equipment that support those same types.
Stocking Hardware Peripherals
- Consider stocking your forensics lab with the following peripheral devices:
  - A digital camera capable of still and motion recording
  - Assorted antistatic bags
  - An external CD/DVD drive
  - 40-pin 18-inch and 36-inch IDE cables, both ATA-33 and ATA-100 or faster
  - Ribbon cables for floppy disks
  - Extra USB 3.0 or newer cables and SATA cards and associated cables
  - Extra SCSI cards, preferably ultrawide
  - Graphics cards, both Peripheral Component Interconnect (PCI) and Accelerated Graphics Port (AGP)
  - Assorted FireWire and USB adapters
  - A variety of hard drives and USB drives (as many as you can afford and in as wide a variety as possible)
  - At least two 2.5-inch adapters from notebook IDE hard drives to standard IDE/ATA drives, SATA drives, and so on
  - Computer hand tools, such as Phillips and flathead screwdrivers, a socket wrench, any vendor-specific tools, a small flashlight, and an antistatic wrist strap
Using a Disaster Recovery Plan
- Disaster Recovery Plan: Ensures that you can restore your workstations and file servers to their original condition, or rebuild them in a comparable lab facility, if a catastrophic failure occurs.
- It outlines the steps to take to reconstruct a forensic workstation after a virus from a drive you're examining has seriously damaged it.
- It also covers how to set up a workstation for a particular investigation.
- Keep your system backups in a location that is easy to find. A minimum of one backup copy should be kept on-site, and a second, older backup copy should be kept in a secure location off-site.
- Configuration Management: A process of recording all updates you make to your workstation.
Maintaining Operating Systems and Software Inventories
If you deal with Windows PCs, Macintosh systems, and Linux systems, you should have programs for all these OSs.
- Microsoft Office (including current and older versions)
- Hexadecimal editors, such as WinHex or Hex Workshop
- Programming languages and development environments, such as Visual Studio, Perl, or Python
- Specialized image viewers, such as Quick View, ACDSee, ThumbsPlus, and IrfanView
- WPS Office, WordPerfect, and a third-party or open-source office suite
- Accounting applications, such as Quicken and QuickBooks
Planning for Equipment Upgrades
- Determining the acceptable level of risk for any process or operation, like replacing equipment, is a part of risk management.
- Establish a schedule for replacing the equipment on which your lab depends. Additionally, make a list of the equipment you can replace if it breaks.
- Schedule hardware upgrades at least every 18 months, and preferably every 12 months, to keep your lab up to date with advances in hardware technology.
Building a Business Case for Developing a Forensics Lab
Preparing a Business Case for a Digital Forensics Lab
- It's crucial to comprehend the necessity of planning in the establishment and ongoing upkeep of a forensics lab.
Justification
- The justification step requires asking the following questions:
  - What kind of digital investigative service does your company require?
  - Who are the possible clients for this service, and how will it be budgeted: as an internal operation (a company security department or police department, for example) or as an external operation (a for-profit commercial venture)?
  - How will you get the word out to people about your services?
  - What methods of time management will you employ?
  - Where will the initial and ongoing funding for the lab's operations come from?
Budget Development
- All of the items listed in the following categories must be included in the budget.
- When calculating the actual cost of these things, you must be as precise as you can.
- Making a mistake could result in delays and the potential loss of the chance to launch or advance your lab.
Facility Cost
- Here are some sample questions to get you started on calculating a budget:
  - How many digital forensics investigators are required?
  - What are the projected expenditures for the annual training each examiner needs?
  - Do you require additional labs?
  - How many digital forensics investigators will work out of each lab? Is it necessary to temporarily accommodate other nonexaminers so they can look through newly found evidence?
  - How much does building a secure lab cost?
  - Is there an existing space that could be converted into a lab?
  - Does the selected space have adequate heating, ventilation, and air conditioning (HVAC) systems and electrical power?
  - Does the allocated room have existing phone and network cabling? If not, how much would installing these components cost?
  - Does the door to the allocated room lock securely enough?
  - What is the cost of the furniture?
  - Do you require an alarm system to be installed?
  - Are there any other facility expenses, such as janitorial and maintenance service fees?
  - How many support hours are anticipated if IT assistance is required?
Hardware Requirements
- To determine hardware budget needs, here are some questions to consider in your planning:
  - What kinds of investigations and data recovery will be carried out at the lab?
  - How many investigations should be anticipated during each operational month?
  - Are there any investigations that must analyze disk data quickly due to a deadline?
  - What number and sizes of drives are required to support a typical investigation?
  - Do you require a fast backup method, such as a DVD burner or tape backup?
  - What kind of computer system will you focus on the most?
  - How will you store digital evidence? How long must you keep it on hand?
Software Requirements
- To determine software budget needs, here are some questions to consider in your planning:
  - What kinds of OSs will be examined?
  - How often is it necessary to look into earlier, less well-known OSs (such as Mac OS 9.x, OS/2, and CP/M) or less common OSs?
  - What specifications must forensics software tools meet? For instance, how many of each tool are required? How many times a week on average do you use each tool?
  - What kinds of OSs are required to carry out standard examinations?
  - Is specialized software like QuickBooks, FreshBooks, Xero, or Sage 50c required?
  - Is there money set aside to buy multiple forensics software tools?
  - What disk-editing program should be selected for broad data analysis?
Miscellaneous Budget Needs
- To determine miscellaneous budget needs, here are some questions to consider in your planning:
  - Does the operation and staff of the lab require errors and omissions insurance?
  - Do you need a budget for office supplies?
Approval and Acquisition
- The approval and acquisition phase of a digital forensics lab is a management task. You must prepare a business case with a budget and submit it to top management for approval.
- Keep in mind that arguing the business case demands negotiation skills as part of the approval process. To receive approval, your case might need to be revised.
Implementation
- There must be a timeline with anticipated delivery or installation dates and anticipated completion dates.
- A plan for coordinating the timing of material and tool deliveries should also be in place.
- Include in the schedule the inspection of the hardware, software, and building construction.
- Also set inspection days to verify that the items you ordered arrived and are in working order.
Acceptance Testing
- When writing the acceptance test plan, make sure you include the following tasks:
  - Check the facility to verify that it complies with the security standards for storing and managing digital evidence.
  - Test each communication link, including phone and network connections, to ensure it operates as planned.
  - Test every piece of hardware to ensure that it functions properly; for instance, check that a computer boots into Windows.
  - Install and start all software to make sure it runs on the laptops and operating systems you have in the lab.
Correction for Acceptance
- The better you plan, the less likely you are to run into issues with your lab. Any lab business, though, has challenges when it first starts up.
- Your business case must account for issues that could slow down lab production.
Production